Fourth Circuit Holds that Violating Employer’s Computer Use Restrictions Is Not a CFAA Violation
By Andrew Crocker – Edited by Michael Hoven
WEC Carolina Energy Solutions, LLC v. Miller, No. 11-1201 (4th Cir. Jul. 26, 2012)
On July 26, the Court of Appeals for the Fourth Circuit affirmed the South Carolina District Court in holding that Willie Miller’s violation of his employer WEC’s use restrictions on its proprietary computer systems and information was not a violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. WEC Carolina Energy Solutions, LLC v. Miller, No. 11-1201, slip op. at 2 (4th Cir. Jul. 26, 2012).
With the decision in WEC, the Fourth Circuit adds to a split among the federal circuit courts over whether an employee’s violation of an employer’s restrictions on use of a computer or computerized information that the employee is otherwise authorized to access can serve as the required element of “access . . . without authorization” or access “exceeding authorized access” for proving a CFAA violation. § 1030(a)(1). In the CFAA, to “exceed authorized access” is defined as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." § 1030(e)(6). The court held that this definition is best read literally, such that a CFAA violation must involve improper access to a computer or computerized information, and not its “improper use.” WEC, No 11-1201 at 9. This reading is related, although not identical, to the Ninth Circuit’s recent en banc holding in United States v. Nosal, No. 10-10038 (9th Cir. April 10, 2012), previously reported on by the Digest, and in direct conflict with other circuits’ construction of the statute, notably the Seventh Circuit in International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).
Bloomberg BNA provides an overview of the case. Eric Goldman Blog has more context on the circuit split.
The case arose when Miller quit his job at WEC, a welding firm that specializes in serving the “power generation industry.” WEC, No. 11-1201 at 4. Before leaving WEC, Miller allegedly used his authorized access to the company’s intranet and violated its computer use policy by downloading proprietary information to a personal computer. Id. Miller allegedly further violated the policy by using this information in a sales presentation on behalf of a competitor of WEC, which subsequently hired him. Id. WEC brought suit for a number of state law claims and for several violations of the CFAA, including § 1030(a)(4): "knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value." Id. at 3. Holding that the CFAA did not provide relief from Miller’s improper use of information that he otherwise had authorization to access, the district court dismissed the CFAA claim and refused jurisdiction over WEC’s state-law claims. Id. at 2, 5.
In affirming, the Fourth Circuit considered a number of factors. First, because the CFAA provides for both civil and criminal penalties, the court found that in the interest of uniform application, the rule of lenity dictated a strict construction of the statutory language. Id. at 8. Under this strict construction, improper use of information that an employee was authorized to access could not fit the definition in § 1030(e)(6). Second, the court rejected an interpretation proposed by WEC and adopted in Nosal in which the word “so” in § 1030(e)(6) is read to mean “in that manner.” Under this reading, obtaining information in an unauthorized manner, such as when Miller downloaded the information to his personal computer, would be a CFAA violation. However, the court found that this interpretation, though plausible, was “not clearly warranted by the text,” and thus the rule of lenity further counseled reading the statute to “criminalize [only] obtaining or altering information that an individual lacked authorization to obtain or alter.” Id. at 11.
Finally, the court rejected the approach adopted by the Seventh Circuit in Citrin relying on common law agency theory, whereby an employee who accesses employer information with interests adverse to the employer in breach of fiduciary duty does so without authorization. Id. at 6. The court rejected this reading as an implausible interpretation of Congress’ intent, since it would have “far-reaching effects.” Namely, “any employee who checked the latest Facebook posting or sporting event scores in contravention of his employer’s use policy would be subject to the instantaneous cessation of his agency and, as a result, would be left without any authorization to access his employer’s computer systems.” Id. at 12.
The decision is significant because it likely closes the door in the Fourth Circuit on the theory of employees’ violations of their employer’s computer use restrictions as CFAA violations. This, the court wrote, “likely will disappoint employers hoping for a means to rein in rogue employees.” Id. at 13. In addition, the decision adds fuel to speculation that the Supreme Court may be pressed to settle the circuit split on the interpretation of the statutory language, writes Orin Kerr at the Volokh Conspiracy. Yet Kerr notes that the Senate Judiciary Committee has been considering amendments to the CFAA that would render a Court decision effectively moot, creating further uncertainty.
Andrew Crocker is a 3L at Harvard Law School who regularly lies on social media profiles.